A cyber espionage group linked to China has remotely looted mailboxes using flaws recently discovered in Microsoft’s server software.
The information was released last Tuesday (the 2nd) by the company and by external researchers, and it offers an example of how commonly used programs can be exploited to cast a wide net online.
Microsoft said the hackers made use of four previously unknown vulnerabilities in different versions of the software, and that the activity was the work of a group it calls HAFNIUM, which it described as an entity sponsored by China but operating outside the country.
In a separate publication, cybersecurity company Volexity said that in January it saw hackers use one of the vulnerabilities to remotely steal “the entire contents of multiple user mailboxes”.
All they needed to know was the details of the Exchange server and the account they wanted to loot, said Volexity. Microsoft has already released fixes for the flaws.
Exchange is Microsoft's email server software, used for corporate and student email accounts.
“Exchange Server is used primarily by corporate customers, and we have no evidence that hackers’ activities target individual consumers or that these attacks have an impact on other Microsoft products,” said Tom Burt, corporate vice president at Microsoft.
China is opposed to all forms of cyber attacks, China’s Foreign Ministry spokesman Wang Wenbin told a news conference in Beijing on Wednesday.
“China wants the media and relevant companies to take a professional and responsible attitude and base the characterizations of cyber attacks on ample evidence, rather than unfounded assumptions and accusations,” he said.
Even before Microsoft's announcement, the hackers' increasingly aggressive activity had begun to attract the attention of the cybersecurity community.
Mike McLellan, director of intelligence at Secureworks, a Dell Technologies company, said that prior to Microsoft's announcement he had noticed a sudden spike in Exchange server activity on Sunday night, with about 10 of his company's customers affected.
Microsoft’s suite of products has come under scrutiny since the attack on SolarWinds, the Texas-based software company that served as a springboard for various government and private sector intrusions.
In other cases, hackers have taken advantage of the way customers have configured their Microsoft services to compromise their targets or to dive further into the affected networks.
The hackers behind the SolarWinds campaign also breached Microsoft itself, accessing and downloading source code, including elements of Exchange, the company's email and calendar product.
McLellan said that, for the time being, the hacking activity he saw seemed focused on planting malicious software and preparing the ground for a potentially deeper intrusion, rather than moving aggressively through the affected networks right away.
“We haven’t seen any subsequent activity yet,” he said. “We will find many companies affected, but fewer companies actually exploited.”
Microsoft said the targets include infectious disease researchers, law firms, higher education institutions, defense companies, policy think tanks and non-governmental groups.